Gullen v. Facebook
Renewed motion to dismiss denied – Facebook allegedly collected, stored, and used biometric data of individuals with no Facebook account without the notice or consent required under the Illinois Biometric Information Privacy Act (BIPA). The court referenced its reasoning in In re Facebook Biometric Litigation (below) to confirm plaintiff had standing.
Additionally, the court found that despite Facebook’s claims it stored no biometrics of non-users, it offered no evidence to support those claims. Since ruling on such claims required a review of disputed facts, such a decision on the merits was better suited for summary judgment or at trial.
[N.D. CA; 3:16-cv-00937]
jbho: I think the takeaway here is that your privacy practices need to consider how they apply to casual consumers as well as enrolled customers, and make sure to get the necessary consent of all users.
UPDATE: 3Apr2018 – Defendant’s motion for summary judgment granted (Doc#161). The court found that plaintiff identified only two photos on Facebook:
- One taken in Pennsylvania and uploaded in Michigan
- One uploaded to a business account
Plaintiff confirmed his claims were based solely on the business page photo.
The record showed Facebook did not use facial recognition technology on photos uploaded to business accounts. Plaintiff failed to produce evidence to counter that claim – despite having (ample) access to those claims during the proceedings.
With this order, Gullen is dismissed from the settlement proceedings in In re Facebook Biometric Litigation.
In re Facebook Biometric Litigation
Renewed motion to dismiss denied – Facebook allegedly collected, stored, and used biometric data without notice or consent required under the Illinois Biometric Information Privacy Act (BIPA). More here.
The court found:
(1) the statutory provisions of BIPA were established to protect plaintiff’s concrete interests:
• Biometrics are uniquely sensitive identifiers (“BIPA expressly recognizes that social security numbers do not implicate the kinds of privacy concerns that biometric identifiers do”)
• Biometric technology is a new frontier subject to unpredictable developments
• People are apprehensive of transactions involving their biometrics
• Regulation of biometric collection, use, and storage serves the public interest
(2) the alleged procedural violations presented a material risk of harm to concrete interests the Illinois legislature sought to protect. “(T)he plain text of BIPA as a whole, leaves little question that the Illinois legislature codified a right of privacy in personal biometric information (and) a violation of BIPA’s procedures would cause actual and concrete harm.”
The court also stated that the evidence Facebook submitted, contending BIPA notice and consent requirements were satisfied, required a fact-based inquiry ill-suited for a motion to dismiss. “These dispositive disputes on the merits should be decided on summary judgment or at trial.”
[N.D. CA; 3:15-cv-03747]
jbho: the opinion builds on other recent, post-Spokeo decisions in the 9th, including Van Patten v. Vertical Fitness Group (9th Circ.; 14-55980) where the appellate court found that “a (single) violation of the TCPA is a concrete, de facto injury.” The court here felt “privacy torts do not always require additional consequences to be actionable” and that “when an online service simply disregards the Illinois procedures … the right of the individual to maintain her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.”
A very compelling body of case law continues to evolve. Stay Tuned.
UPDATE: 16Apr2018 – class certified (Doc #333). The court found all the necessary elements of class certification were met, for a narrowed class of “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011.” (Merely uploading a photograph did not necessarily mean that a face signature or template was collected or stored by Facebook.)
Notably, the court rejected Facebook’s contention that Commonality and Predominance were not met, based on the argument that determining whether each class member was aggrieved was an individual matter under Rosenbach v. Six Flags (Ill. App. Ct. 2nd Dist; 2-17-0317). The court disagreed, finding “the Rosenbach court expressly observed that Plaintiff did not allege in her complaint any harm or injury to a privacy right … the better reading is Rosenbach would find that injury to a privacy right is enough to make a person aggrieved under BIPA.” Furthermore, in Rosenbach, plaintiff expressly allowed his thumbprint to be scanned (not the case here).
The court also stated the geographic locations of Facebook servers were not a factor, as the present case was deeply rooted in Illinois. “The named plaintiffs are located in Illinois along with all of the proposed class members, and the claims are based on the application of Illinois law to use of Facebook mainly in Illinois.”
Remember also that the court previously declined to dismiss the case, finding BIPA violations were automatically a concrete harm.
UPDATE: 14May2018 – Cross motions for summary judgment denied (Doc#372). The court ruled the competing evidence showed a jury must resolve the genuine factual disputes surrounding facial scanning and recognition technology. On the one hand, plaintiffs argued a Facebook research paper captioned ‘DeepFace’ showed Facebook understood what it was collecting was “normally referred to as biometric data.” On the other hand, a Facebook expert stated the technology “does not explicitly detect human-notable facial features (and) would still calculate a ‘face signature’ if provided with an image of something other than a face.”
The court rejected Facebook’s Commerce Clause arguments, finding the instant case was a lawsuit under an Illinois state statute on behalf of Illinois residents who used Facebook in Illinois. Moreover, evidence showed Facebook could activate or deactivate features for users in specific states with apparent ease, and nothing indicated that liability under BIPA would force Facebook to change its practices with respect to residents of other states.
Also worth noting, the court chastised Facebook for its continual reliance on Rosenbach v. Six Flags (Ill. App. Ct. 2nd Dist; 2-17-0317), which the court “expressly rejected … in considerable detail” and began the opinion stating “the question of whether Facebook is liable can be decided in ‘one stroke’ for the class as a whole without a likelihood that individualized inquiries would overwhelm commonality and predominance.”
Barnes v. Aryzta
Remanded to state court – Aryzta (dba Otis Spunkmeyer and La Brea Bakery brands) allegedly collected plaintiff’s fingerprints (for employee timekeeping) without informing him of the purposes of use, retention, security, or deletion policies related to the collection, use, and storage of his fingerprints. Plaintiff claimed he was never provided, nor signed, a written release allowing Aryzta to collect and store his fingerprints.
Aryzta had the case removed to federal court, then immediately filed a motion to dismiss for lack of subject matter jurisdiction (no standing under Spokeo). Plaintiff countered with a motion to remand to state court. Aryzta then amended its motion to state the standing issue need not be resolved at this time. The court found the burden was on Aryzta – as the moving party – to prove the federal court had jurisdiction, and the ‘wait and see’ approach did not support the basis for its removal petition. Since Aryzta admitted that Article III standing based on Spokeo in the context of Plaintiff’s claims in the case was unsettled, the court had no choice but to remand to state court.
Moreover, since Aryzta flipped its arguments – first arguing the court did not have jurisdiction, then arguing it could decide later – the court ruled the case was unnecessarily prolonged and awarded plaintiff costs and attorney’s fees.
[N.D. Ill; 1:17-cv-07358]
jbho: I initially blogged about this tactic a year ago in Mocek v. AllSaints (N.D. Ill; 1:16-cv-08484) with the caveat that Spokeo doesn’t necessarily make cases go away, it just keeps them out of federal court. That was a FACTA case, but the findings were essentially the same – the strategy of asserting, then immediately disavowing, federal jurisdiction unnecessarily prolonged the proceedings. The court cited that case as part of the decision here.
The court also rejected Aryzta’s bid to remove solely based on jurisdictional prerequisites under CAFA. “Notwithstanding its strategic withdrawal of its motion to dismiss for lack of subject matter jurisdiction, Defendant argues in opposition to Plaintiff’s motion to say that a court is without jurisdiction to decide a case on its merits yet has jurisdiction merely to remove the case is to state a contradiction.” (citation omitted)
However, in light of Rosenbach v. Six Flags (below) Aryzta may still prevail on the actual harm argument. Stay tuned…
Rosenbach v. Six Flags
Certified questions answered and remanded – Six Flags allegedly collected plaintiff’s son’s thumbprint as part of a season-pass purchase; thumbprints to be used for park entry. Plaintiff claimed the biometrics were collected without informing her of the purposes of use, retention, security, or deletion policies. Plaintiff further alleged she never provided written consent for the collection, use, and storage of her son’s thumbprint.
The county court initially denied a motion to dismiss, but on a motion for reconsideration certified two questions to the appellate court: whether an individual is ‘aggrieved’ when the only injury alleged is a violation of disclosures and consent requirements of BIPA, and is thus entitled to (1) statutory damages, or (2) injunctive relief.
The court found that to be ‘aggrieved’ under BIPA, one must have been adversely affected or harmed by an infringement of a legal right. Plaintiff failed to allege she or her son suffered any actual injury, or any harm or injury to a privacy right. She only stated she would not have purchased a season-pass had she known of Six Flags’ conduct. The court found that although injuries or adverse effects need not be pecuniary, plaintiff’s allegations of bare technical violations alone were insufficient to render her ‘aggrieved.’ Thus, she was entitled to neither statutory damages nor injunctive relief.
[Ill. App. Ct. 2nd Dist; 2-17-0317]
jbho: interesting to see Spokeo reasoning at the state court level. Per the court: “permitting a private cause of action for a mere technical violation … requires that the word ‘aggrieved’ be read out of the statute.” So no harm, no foul?
Or, will the county court allow plaintiff to amend her complaint on remand? I’ll keep my eyes peeled. Let me know if you hear something.
Four More Fingerprint Class Actions
All contain the allegations we’ve seen over, and over, and over…
‘EMPLOYER’ collected and stored plaintiff’s fingerprints without a written release, without disclosing a retention policy, and without defined disposal procedures, etc.
McGee v. RJW Transport [Cook Co. Circ. Ct.; 2017CH14077]
Ragsdale v. Paramount of Oak Park Rehabilitation & Nursing Center [Cook Co. Circ. Ct.; 2017CH13911]
Rapai v. Hyatt [Cook Co. Circ. Ct.; 2017CH14483]
Kiefer v. Bob Evans [10th Dist Circ. Ct.; 17-L-112]
jbho: The surge continues. Not much more to say than what I’ve already said below.
Yet Another Fingerprint Timekeeping Class Action
Freeman-McKee v. Alliance Ground
Class complaint – Alliance allegedly collected and stored plaintiff’s fingerprints as a part of an employee time-clocking process:
• without a written release,
• without disclosing a retention policy, and
• without informing her if biometric data would ever be permanently deleted.
[Cook Co. Circ. Ct.; 2017-CH-13636]
jbho: employers need to catch up on this new fertile ground for litigation. According to Law360, at least 26 employment related class actions have been filed.
https://www.law360.com/cybersecurity-privacy/articles/972212/the-new-wave-of-employee-biometrics-class-actions (subscription required)
Two More Biometric Timeclock Class Actions
Diaz v. Greencore (Peacock Foods)
Lundsteen v. Superior Air-Ground
Two class complaints were filed in early October. Both involve employer collection of fingerprints for work time tracking. The complaints contain the common allegations of failure to inform employees in writing of collection, purpose of use, how long retained, destruction practices, as well as a failure to get a valid consent under BIPA. The complaint against Superior alleged collection and use of the finger vein patterns in addition to fingerprints.
[Diaz v. Greencore – Cook Co. Sup. Ct.; 2017-CH-13198]
[Lundsteen v. Superior Air-Ground – Cook Co. Sup. Ct.; 2017-CH-13253]
jbho: all you have to do is copy and paste, and you’ve got a new class action.
Photo Scanning Lawsuit Will Continue
Monroy v. Shutterfly
Motion to dismiss denied – Shutterfly allegedly collected and stored plaintiff’s facial biometrics (derived from a photograph) when a photo of him was uploaded (by an undisclosed party) to Shutterfly. Plaintiff further alleged Shutterfly extracted his biometrics, and associated his biometrics with additional information regarding his gender, age, race, and geographical location. Plaintiff claimed he was not a Shutterfly user, was unaware of the collection, was never provided with the statutorily required disclosures, and never consented to the collection or storage of his biometric information.
Shutterfly argued:
(1) BIPA did not apply to information obtained from photographs
(2) BIPA could not be applied extraterritorially
(3) Plaintiff failed to allege actual damages
The court found:
(1) While information obtained from a photograph was not ‘biometric information,’ a scan of face geometry obtained from a photograph did constitute a ‘biometric identifier.’ There was no requirement under BIPA for a scan to be performed in person, as other courts have found (e.g., Rivera v. Google [N.D. Ill; 1:16-cv-02714]).
(2) Plaintiff sufficiently alleged an Illinois nexus, since the photo was uploaded by a citizen of Illinois from a device physically in Illinois. Although plaintiff was a Florida resident, and Shutterfly was a Delaware corporation, it was unclear where scanning or storage took place, and discovery would be needed to get a clearer picture of the circumstances around plaintiff’s claims – at which point Shutterfly’s extraterritoriality argument could be addressed.
(3) A showing of actual damages was not necessary to state a claim under BIPA. The right of action under 740 ILCS 14/20 provided for liquidated damages or actual damages. The allegations of invasion of privacy were sufficient to survive a motion to dismiss.
[N.D. Ill; 1:16-cv-10984]
jbho: note that Shutterfly settled a nearly identical action for an undisclosed amount (Norberg v. Shutterfly, N.D. Ill; 1:15-cv-05351). In both cases, plaintiffs were represented by CAREY RODRIGUEZ MILIAN GONYA, LLP.
Customer Facial Scan Class Action
Morris v. Wow Bao
Class complaint – Wow Bao, and its corporate parent Lettuce Entertain You, allegedly used facial biometrics to authenticate purchases at self-serve checkouts, but failed to:
• inform plaintiff (and other consumers) in writing biometric information was being collected or stored
• inform plaintiff (and other consumers) of the specific purpose of use
• publicly post Wow Bao guidelines for permanently destroying biometric information
• publicly post how long biometric information would be kept
• receive a written consent from plaintiff (and other consumers) as required under BIPA
[Cook Co. Circ. Ct.; 2017-CH-12029]
jbho: a reminder to provide clear and conspicuous notice of collection, purpose of use, sharing, retention, and destruction practices for biometric data. Probably best to include in both your user agreements / privacy policies and Just-In-Time notices where written consent is obtained.
As the number of BIPA actions rises, the complaints are starting to look templatized. Compare this complaint to Howe v. Speedway below. Both suits were filed by the same firm.
Another Employee Fingerprint Class Action
Howe v. Speedway
Class complaint – Speedway allegedly required employees to use fingerprints to ‘clock-in’ and ‘clock-out’ of work, but failed to:
• inform plaintiff (and other employees) in writing biometric information was being collected or stored
• inform plaintiff (and other employees) of the specific purpose of use
• publicly post Speedway guidelines for permanently destroying biometric information
• publicly post how long biometric information would be kept
• receive a written release from plaintiff (and other employees) as required under BIPA
Plaintiff further claimed biometric information was shared with Speedway vendor Kronos, and alleged Kronos committed the same failures listed above.
[Cook Co. Circ. Ct.; 2017-CH-11992]
jbho: same comments as above. Insulate yourself from copy/paste complaints by buttoning up your disclosures and consent flows.
Grocer Tagged With Another Class Action For Employee Fingerprint Tracking
Doporcyk v. Roundy’s
Class complaint – Roundy’s allegedly forced plaintiff to use his fingerprints to clock ‘in’ and ‘out’ of his work shifts, despite the fact he was a salaried employee. Plaintiff further alleged Roundy’s failed to:
• inform him of the specific purpose(s) for which his biometric information was being collected or stored
• inform him how long his biometric information would be kept
• publicly disclose a retention schedule and how biometric information would be permanently destroyed
• obtain a written release from him evidencing his consent and use his (or class members’) biometric information
Roundy’s also allegedly disclosed biometric information to an out-of-state third-party vendor.
Plaintiff also filed wrongful termination claims, stemming from his concerns that his Roundy’s location was performing glucose tests without following proper hygiene procedures, and without proper lab ‘certifications’ in place. Plaintiff claimed he was terminated when he began investigating the ‘certification’ status of other Roundy’s locations.
[Cook Co. Sup. Ct.; 2017-CH-08092]
jbho: In this case, the BIPA claims are probably the less scandalous, but due to the private right of action the more profitable?
No shortage of drama here. The case makes for an interesting read, if nothing else.
Note that this is the second employment related BIPA case I’ve seen against Roundy’s (see below).
Baron v. Roundy’s
Class complaint – Roundy’s supermarkets allegedly forced employees to use fingerprints to clock ‘in’ and ‘out’ of their work shifts. Plaintiffs alleged Illinois employees are required to submit fingerprints, but Roundy’s failed to:
• inform employees in writing that a biometric identifier or biometric information was being recorded, obtained, collected or stored
• inform employees in writing the specific purpose(s) for which biometric information was being recorded, obtained, collected or stored
• inform employees in writing the retention period for biometric identifiers or biometric information
• inform employees in writing how biometric identifiers or biometric information would be destroyed
• obtain employees’ proper written consent to the recording, collection, obtainment or storage of their biometric identifiers and biometric information derived therefrom
• obtain a written release from employees executed as a condition of employment
Plaintiffs further alleged existing Illinois employees were retroactively required to submit fingerprints without proper notice and consent.
The case was removed to federal court 11 May 2017.
[N.D. Ill; 1:17-cv-03588 (Orig: Cook Co. Cir. Ct.; 2017CH03281)]
jbho: Roundy’s was acquired by Kroger’s in 2015. BIPA was enacted in 2008, and it appears Roundy’s was scanning fingerprints back in 2013. I wonder if BIPA considerations were part of the M&A due diligence? One we should add to our checklists…
Video Game Maker Survives BIPA Face-Off
Vigil v. Take-Two
Dismissed with prejudice – Take-Two allegedly failed to provide adequate notice and consent for collection, storage, use, and retention of plaintiff’s biometric data. Plaintiffs used the ‘MyPlayer’ feature to create in-game characters with their faces. Plaintiffs followed in-game instructions (approximately a 15 minute process) after agreeing to the following terms and conditions:
Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement. http://www.take2games.com/eula
Plaintiffs alleged the disclosure was insufficient to inform them their biometric data was being captured, thus negating any consent. They further argued they could not return the opened game, and would not have purchased the game had they been adequately informed. Additionally, plaintiffs alleged Take-Two failed to publicly provide a retention schedule or guidelines for destruction of biometric data. Finally, plaintiffs alleged they suffered economic losses in the form of misappropriation of their biometric data.
The court found:
- Take-Two only used the biometric data as both parties intended
- The game functioned exactly as plaintiffs expected (they agreed to the terms and scanned their faces)
- Any deficiencies in the notice were bare procedural violations
- that the notice used the term ‘face scan’ rather than ‘biometric identifier’ (“a statutory term of art”) had no real impact on BIPA interests
- Plaintiffs should have expected the face scan would need to be stored in order to use their faces in game play
- “a merely procedurally deficient notice does not automatically invalidate any resulting consent”
- Plaintiffs’ alleged apprehension based on hypothetical misuse was too speculative and abstract to support standing (citing Clapper v. Amnesty International: “(plaintiffs) cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”)
- Appropriation claims failed since plaintiffs consented to the face scans (particularly since plaintiffs failed to allege Take-Two had used their facial scans to promote or advertise its game, or otherwise profit by using or selling their data).
- There was no intrusion since plaintiffs consented to the face scans
- Unlawful retention alone, absent some form of alleged disclosure or misuse, did not constitute a concrete injury (plaintiffs did not allege their face scans had been obtained or misused).
- Benefit of the bargain arguments failed since
  - plaintiff pled no breach of contract or unjust enrichment claims
  - legal compliance is not ordinarily presumed to be part of a contractual bargain
- The court also found that under Illinois law, to be ‘aggrieved’ meant more than just a ‘zone-of-interest’ nexus; there must be a direct link between the statutory violation and the resultant harm.
The court found further amendment to the FAC would be futile, and dismissed the complaint with prejudice.
UPDATE: 21Nov2017 – The 2nd Circuit has affirmed the dismissal. The appellate court ruled plaintiffs consented to the scans after seeing the necessary (written) disclosures and sitting for the 15 minute face scanning process. As for failing to inform plaintiffs of retention and destruction policies, plaintiffs failed to allege any harm, or that Take-Two had not, or would not, destroy their biometric information. Finally, on the level of security implemented by Take-Two, plaintiffs failed to allege any material risk that their biometric data would be improperly accessed by third parties. Since fear, without more, was insufficient to confer an Article III injury-in-fact, the district court did not err in dismissing the case for lack of subject matter jurisdiction. However, since the court lacked subject matter jurisdiction, it could not dismiss the claims with prejudice. The case was remanded to be dismissed without prejudice.
[2nd Circ.; 17-303]
[S.D. N.Y.; 1:15-cv-08211]
jbho: a detailed opinion that I believe can help plan disclosures and policy items around BIPA compliance – well worth a dive into the 50 page opinion. And it’d be great to have someone double check my work.
As I see it, lessons here include:
- If data use falls within the realm of consumer expectations, you may not need to worry about minor wording choices in your notice
  - however, statements still can’t be misleading or deceptive
- If you don’t share, there is no harm
  - still best to destroy data on a regular schedule, even if it’s not called out in your notice
- If someone is surprised by how your product works after-the-fact, let them return the product – even if it falls outside your normal refund policies (consistent with OTA IoT guidelines)
Bottom line: it appears consent is dispositive. With no misuse, all that remains are ‘bare procedural violations’?
Native Photo App Needs More Scrutiny
Rivera v. Google
Motion to dismiss denied – Google, through its built-in Android ‘Google Photos’ app, allegedly applied a proprietary facial recognition technology to every photo uploaded by the app. Google then allegedly used the face templates to organize and group photos, irrespective (allegedly) of whether the face belongs to a Google Photos user or non-user.
• Plaintiff Weiss, who purchased a Google ‘Droid’, claimed Google used his face template to recognize his gender, age, race, and location.
• Plaintiff Rivera, who claims to have never had a Google ‘Droid’, claimed Google used her face template to recognize her gender, age, race, and location.
Google allegedly did the above without informing either plaintiff, without obtaining written consent, and without specifying retention policies and destruction guidelines as required under BIPA.
On Google’s claim that information derived from photographs is not covered under BIPA (740 ILCS 14/10), the court found a straightforward reading of BIPA indicated that Google was creating Biometric Identifiers (“scan of … face geometry”). The scans do not necessarily have to be performed live [“(I)t is unlikely that the statute sought to limit the definition of biometric identifier by limiting how the measurements are taken.” (emphasis in original)]. Once discovery revealed what Google was actually doing, it could be determined that Google’s process was not creating Biometric Identifiers. But at the motion to dismiss phase, Plaintiffs’ allegations must be taken as true.
On Google’s claim that the contested activity did not take place in Illinois, the court found it persuasive that plaintiffs were Illinois residents, photos were taken in Illinois, and uploaded to the cloud in Illinois. Even if the scanning took place outside of Illinois, more information was needed on the totality-of-circumstances to determine if Illinois law applied.
On Google’s claim that BIPA conflicts with the federal Constitution’s Dormant Commerce Clause, the court again found that more information was needed to determine whether the activity occurred wholly outside Illinois.
[N.D. Ill; 1:16-cv-02714]
jbho: wow – 20 pages of dicta on the definitions of biometric identifier and biometric information, including analysis of the legislative process in developing BIPA. Very informative and worth the read if you have time.
For the record, 740 ILCS 14/10 says:
Sec. 10. Definitions. In this Act:
“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include … photographs … demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. (emphasis added)
“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
First Settlement Reached Under Illinois’ Biometric Law
Sekura v. LA Tan
$1.5M settlement approved – LA Tan allegedly used fingerprint scanning technology to identify its customers in a membership database, but failed to: 1) obtain written consent 2) provide information about how it would store the biometric data and 3) if/when/how the data would be destroyed. No alternative to the fingerprint was offered. Highlights include:
• $1,500,000 settlement fund
• $125 for each class member
• $5,000 for class representative
• $600,000 for class counsel (40% of settlement fund)
LA Tan must also either put processes in place to comply with BIPA or destroy all biometric data it still holds.
[Circuit Court of Cook County; 2015-CH-16694]
jbho: In the absence of clear guidance, it may be worth considering to:
- Provide clear and conspicuous notice of the collection, purpose of use, and potential disclosures of information that might be considered ‘biometric’
- Obtain express consent of the individual
- Provide clear and conspicuous notice of opt-out procedures
- Specify your retention practices